System and method to protect the privacy of ADS-B messages

ABSTRACT

System and method to protect the privacy of ADS-B messages transmitted by aircraft. The system includes one or more ground stations with a ground station control unit and a ground ADS-B transponder for receiving an ADS-B message. The ground station control unit includes an aircraft position determination module for retrieving an aircraft position included in the ADS-B message; an operating conditions module for determining the fulfillment of operating conditions including determining if the aircraft position is an actual aircraft position; and a fake aircraft position generator for computing one or more fake aircraft positions. The ground station control unit broadcasts one or more fake ADS-B messages including the fake aircraft positions if the operating conditions are met. With this system only trusted receivers can obtain the real position of the aircraft.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of, and priority to, European PatentApplication No. 16382272.9, filed on Jun. 14, 2016 and entitled “Systemand method to protect the privacy of ADS-B messages,” the contents ofwhich are herein incorporated by reference in their entirety.

FIELD OF THE INVENTION

The present disclosure relates generally to the field of avionics. Moreparticularly, the present disclosure relates to methods and systems forprotecting the privacy of real-time aircraft position in ADS-B databroadcast to avoid malicious attacks.

BACKGROUND OF THE INVENTION

Automatic dependent surveillance-broadcast (ADS-B) is a surveillancetechnology for tracking aircraft. There are several types of certifiedADS-B data links: 978 MHz universal access transceiver (UAT) and 1090MHz extended squitter (ES).

Aircraft equipped with ADS-B Out service periodically broadcastsreal-time aircraft information through an onboard transmitter, includingthe aircraft identification, current position, altitude, and velocity.

In all cases ADS-B data is publicly available since it is unencryptedand can be collected with any compatible radio receiver.

Therefore, there is a need to safeguard the privacy of an aircraftprecise location.

SUMMARY OF THE INVENTION

Currently, aircraft positions are widely available to anyone in thepublic. The present disclosure refers to a system and method to protectthe privacy of ADS-B messages transmitted by aircraft, addressing thisnew threat by generating fake aircraft positions such that only trustedreceivers can know the real position of the aircraft.

In accordance with one aspect of the present disclosure there isprovided a system for protecting the privacy of ADS-B messages. Thesystem includes one or more ground stations. Each ground stationincludes a ground station control unit and a ground ADS-B transponderfor receiving an ADS-B message. The ground station control unitincludes:

-   -   An aircraft position determination module for retrieving an        aircraft position included in the ADS-B message.    -   An operating conditions module for determining the fulfillment        of one or more operating conditions, said operating conditions        at least including determining if the aircraft position is an        actual aircraft position.    -   A fake aircraft position generator for computing one or more        fake aircraft positions.

The ground station control unit is configured for broadcasting one ormore fake ADS-B messages including the fake aircraft positions if theoperating conditions are met.

The operating conditions may also include determining if the aircraftposition is located inside a region of interest.

The fake aircraft position generator preferably computes the fakeaircraft positions by using a transformation function. The operatingconditions module may be configured to determine if the aircraftposition is an actual aircraft position by using the transformationfunction. The transformation function is such that when applied to anactual aircraft position generates the fake aircraft positions, and whenapplied to a fake aircraft position generates at least the same fakeaircraft position.

In an embodiment, the transformation function is a geometric projectivetransformation over a surface. The region of interest may be defined bythe surface used in the geometric projective transformation. Thegeometric projective transformation may be, for instance, a projectionover a conical surface, a convex surface (such as a hyperbolic surface)or a frustum surface.

In accordance with a further aspect of the present disclosure there isprovided a method of protecting the privacy of ADS-B messages. Themethod includes:

-   -   Receiving an ADS-B message.    -   Retrieving an aircraft position included in the ADS-B message.    -   Determining the fulfillment of one or more operating conditions,        said operating conditions at least including determining if the        aircraft position is an actual aircraft position.    -   If the operating conditions are met generating one or more fake        aircraft positions and broadcasting one or more fake ADS-B        messages including the fake aircraft positions.

The ADS-B obfuscation method is used by ground-based stations togenerate fake aircraft positions when certain conditions are met. TheADS-B obfuscation method is particularly useful when the aircraft isflying low, near an airport (during landing or take-off). Fake aircraftpositions are broadcast to prevent the actual aircraft position beingidentified by unintended users. Trusted receivers share with the groundstations a key to differentiate fake aircraft positions from realaircraft positions.

The ADS-B aircraft position obfuscation is performed in dangerous areas.The system and method allows creating an area where only trusted partiescan use ADS-B data, for instance a terminal maneuvering area. The systemgenerates, starting from real position messages, a set of fake messagesthat only trusted partners can distinguish from the real ones. In aregion of interest a receiver feeds a system generating the fakemessages and then an emitter transmits it to all the receivers in thearea. The trusted receivers also use the obfuscation algorithm todifferentiate the real message from the fake ones.

The system generates multiple fake trajectories indistinguishable fromthe real one, such that only trusted receivers can know the realposition of the aircraft. The ADS-B obfuscation algorithm generating thefake trajectories is tailored to a region of interest (an area toprotect). With the system in operation use of ADS-B data requires anexchange of keys used for generating the fake messages and thealgorithms for reversing the obfuscation. This way, the system candetermine the trusted receivers which can use the ADS-B data broadcastin a region of interest. Another advantage of the present disclosure isthat a certain trusted receiver can immediately be revoked by justchanging the key parameters of the obfuscation algorithm (the new keyparameters will not be distributed to untrusted receivers).

The features, functions, and advantages that have been discussed can beachieved independently in various embodiments or may be combined in yetother embodiments further details of which can be seen with reference tothe following description and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

A series of drawings which aid in better understanding the invention andwhich are expressly related with an embodiment of said invention,presented as a non-limiting example thereof, are very briefly describedbelow.

FIG. 1 depicts a schematic diagram of a system for protecting theprivacy of ADS-B messages transmitted by an aircraft.

FIG. 2 represents a flow diagram of the ADS-B obfuscation algorithm.

FIG. 3 illustrates the process of obtaining the geometric transformationdata used by the ADS-B obfuscation algorithm.

FIGS. 4A-4C represent a conic mirroring process for obtaining the fakeaircraft positions. FIG. 4D represents a convex mirroring process forobtaining the fake aircraft positions.

FIG. 5 depicts the application of a transformation function to actualaircraft positions.

FIG. 6 shows a diagram of the obfuscation method in which a geometricprojective transformation is used to obtain fake aircraft positions.

FIG. 7 represents a system comprising two different ground stations neara runway.

FIG. 8 shows the application of the transformation function todifferentiate the actual aircraft position from the fake positions.

DETAILED DESCRIPTION

FIG. 1 represents a schematic diagram of an embodiment of a system forprotecting the privacy of ADS-B messages transmitted by an aircraft. Thesystem includes one or more ground stations 100. Each ground station 100is a ground-based infrastructure comprising a ground ADS-B transponder102 (ADS-B receiver and ADS-B emitter) coupled to a ground stationcontrol unit 104. The ground station 100 is preferably located close toan airport.

An aircraft 140 using ADS-B services periodically emits ADS-B messages120 including, among other data, the aircraft identifier, currentaircraft position 112 and aircraft speed. When the aircraft 140 isflying near the ground station 100, the ADS-B message 120 is received bythe ground ADS-B transponder 102. Thereafter, an aircraft positiondetermination module 106 of the ground station control unit 104 analyzesthe ADS-B message 120, retrieving the aircraft position 112 anddetermining whether this aircraft position 112 is located inside aregion of interest or not. The region of interest is a first filter usedby the ground station control unit 104 to determine if fake ADS-Bmessages are to be transmitted. As it will later be explained,additional filters or conditions may be used.

An operating conditions module 108 included in the ground stationcontrol unit 104 is responsible for determining if one or more operatingconditions 114 are met. The operating conditions 114 at least includethe condition of the aircraft position 112 being located inside theregion of interest. If the operating conditions 114 are met, a fakeaircraft position generator 110 computes at least one fake aircraftposition 116 and the ground station control unit 104 broadcast, usingthe ground ADS-B transponder 102, at least one ADS-B message 130including the fake aircraft positions 116.

FIG. 2 depicts a flow diagram showing the steps of a method ofprotecting the privacy of ADS-B messages according to a possibleembodiment, implemented by the ground station control unit 104. An ADS-Bmessage 120 is received and decoded 202 to obtain the aircraft positionincluded in the message, taking into account the ADS-B position messagestypes 204 previously stored. In 206 a check to obtain a position of theaircraft (including the latitude, longitude and altitude of theaircraft) is performed. If no position can be retrieved, no furtheraction is taken 220. If a position is obtained, said position iscompared 208 with a region of interest, considering the geographiccoordinates of the region of interest 210 previously stored.

If the aircraft position is inside the region of interest 212, thereceived ADS-B message is compared 214 with a plurality of fake messagesstored in a fake messages database 216. Otherwise, no further action istaken 220.

If the received ADS-message is a fake message 218, a computation 221 toobtain one or more fake aircraft positions is performed. Otherwise, nofurther action is taken 220.

According to the embodiment shown in FIG. 2, the computation 221includes a geometric projective transformation taking into account somegeometric transformation data 222 previously obtained or stored in amemory or a database.

Once a fake aircraft position is computed 221, a fake ADS-B positionmessage is generated 224 and broadcast 226. If several fake aircraftpositions are obtained, the same number of ADS-B messages including saidfake aircraft positions are generated and broadcast. When the last fakeADS-B message is broadcast, the system keeps waiting 228 for the nextADS-B message to be received.

As shown in FIG. 2, geometric transformation data 222 can be employedfor the calculation of fake aircraft positions. FIG. 3 shows anobfuscation process of obtaining the geometric transformation data 222according to an embodiment. First, a setup 300 of the obfuscationprocess is established. In 302 the type of geometric projectivetransformation to apply is selected, such as convex mirroring or conicmirroring. Several relevant data required for the selected geometricprojective transformation is retrieved from a memory or repository 304.The relevant data may include, for instance, the geographical parametersof the region of interest, maps, charts, etc.

A set of geometric transformation parameters are then generated 306 anddistributed 308 to one or more trusted receivers, including the groundstation control unit 104. The geometric transformation parameters arestored in a repository 310. By accessing the repository 310, thegeometric transformation data 222 is retrieved to calculate fakeaircraft positions.

FIGS. 4A and 4B represent an example of a geometric projectivetransformation of an aircraft position using conic mirroring or conicalprojection on a conical/lateral surface 410 of a cone 406 aligned with arunway 404, the vertex 412 of the cone in the aiming point area of therunway 404, the cone 406 with a length such that it covers the region ofinterest.

The schematic view of an aircraft 140 approaching a ground station 100is depicted in FIG. 4A, the ground station 100 being located close to arunway 404. For every actual aircraft position 400 inside the cone 406(which can be considered the region of interest), a fake aircraftposition 116 is computed as the intersection of a line 402 perpendicularto the cone axis 408 with the lateral surface 410 of the cone. Thevertex 412 of the cone may coincide with the location of the groundstation 100, although the ground station 100 may be positioned at adifferent location.

FIG. 4B depicts a projected view of FIG. 4A, showing the intersection Eof the orthogonal line 402 with axis 408, the line segment D from thevertex 412 to the actual aircraft position 400, the line segment D′ fromthe vertex 412 to the intersection E and the angle α between linesegment D and axis 408. As shown in FIG. 4B, the line 402 can also beextended on both sides to intersect the lateral surfaces 410 of the coneat two different points, obtaining two fake aircraft position 116.

FIG. 4C represents a flow diagram of the conic mirroring process ofFIGS. 4A and 4B. Using the actual aircraft position 400 (latitude,longitude, altitude), the fake aircraft position generator 110:

-   -   Calculates 420 the distance from the actual aircraft position        400 to the cone vertex 412 (length of line segment D), using the        established cone vertex coordinates 422.    -   Calculates 424 the angle α between segment D and cone axis 408,        using the known cone axis direction 425.    -   Calculates 426 the distance from vertex 412 to intersection E        (length of line segment D′) and computes the coordinates of        intersection E.    -   Calculates 428 the intersection of orthogonal line 402 with        conical surface 410 using the cone base 430, obtaining the fake        aircraft position 116.

FIG. 4D represents another example of a geometric projectivetransformation, in particular a convex mirroring process for obtainingthe fake aircraft positions 116. A convex surface 440 (hyperbolicsurface, in the example of FIG. 4D) aligned with the runway 404 isdefined. The focus of the hyperbola is in the aiming point area of therunway 404, and the length of the hyperbola is such the area of interestis covered. For every actual aircraft position 400 inside the hyperbolicvolume 436, a fake aircraft position 116 is calculated as theintersection of a line 432 perpendicular to the hyperbola transverseaxis 438 with the hyperbolic surface 440.

The fake aircraft position generator 110 calculates, for each actualaircraft position 400, one or more fake aircraft positions 116 using atransformation function, a projective transformation that maps lines tolines (but not necessarily preserving parallelism). FIG. 5 depicts anexample of the application of a transformation function 500 to aplurality of actual aircraft positions 400 defining an actual flightpath 502. The output of the transformation function 500 is a set of fakeflight paths (504 a, 504 b, 504 c), each fake flight path being composedof a plurality of fake aircraft positions. In this depicted case thetransformation function 500 converts the input, actual aircraftpositions 400, into three different outputs, fake aircraft positions(116 a, 116 b, 116 c). The transformation function 500 may convert eachactual aircraft positions 400 into any number of fake aircraft positions(one or more).

In an embodiment, the transformation function 500 employed is ageometric projective transformation. For example, geometric projectivetransformations employed may be projections over a conical surface 410(FIG. 4A), a convex surface 440 (FIG. 4D) or a frustum surface. Theposition and orientation of these surfaces may vary, although they arepreferably with a relative position to the runway 404 such that thenearer the original points (actual aircraft positions 400) are to therunway 404 the more similar are the transformed points (fake aircraftpositions 116) to the original ones. The surfaces of the geometricprojective transformations may also be used to define the region ofinterest; in this case, the fake aircraft positions obtained by thegeometric projective transformations define flight trajectories insidethe region of interest.

The geometric projective transformation is a projection over a surface(a conical surface, a convex surface such as a hyperbolic, a frustumsurface, etc.). The selected geometric projective transformation has thefollowing properties: when applied to an actual aircraft position 400,the output is one or more fake aircraft positions 116, and when appliedto a fake aircraft position 116, one of the outputs is the fake aircraftposition 116 itself.

In an embodiment shown in FIG. 6, the transformation function 500applied by the fake aircraft position generator 110 is a geometricprojective transformation, such as a conic mirroring function or aconvex mirroring function, although other geometric projections overdifferent surfaces aligned with the runway can be employed, as long asthey comply with the same properties. The geometric projectivetransformation 500 employs the geometric parameters of the region ofinterest 520 and the selected type of geometric projectivetransformation 510 (e.g. conic mirroring 512, convex mirroring 514,Frustum mirroring 516) to generate the required geometric transformationparameters. With these parameters the geometric projectivetransformation 500 is completely defined.

The system may comprise a plurality of ground stations 100 forprotecting the privacy of ADS-B messages transmitted by an aircraft 140.FIG. 7 shows an overall view of the system comprising two differentground stations (100 a, 100 b) located near a runway 404. A region ofinterest 700 is defined by a close curve 702 surrounding the runway 404and an altitude interval (e.g. 0-400 m).

An aircraft 140 equipped with “ADS-B Out” technology periodicallybroadcasts its position using ADS-B messages 120. In FIG. 7 a firstground station 100 a is close enough to the aircraft 140 to receive theaircraft position 112 included in ADS-B messages 120. The first groundstation 100 a verifies that the aircraft 140 is located inside theregion of interest 700 (in the example shown in FIG. 7, latitude andlongitude defining a position within the area defined by the close curve702, and altitude between 0 and 400 m). When the received aircraftposition 112 included in an ADS-B message is outside the region ofinterest 700, the ground stations 100 do not further process the ADS-Bmessage.

If the received aircraft position 112 is located inside the region ofinterest 700, the first ground station 100 a additionally verifies thatsaid aircraft position 112 is an actual aircraft position 400, and not afake aircraft position 116 previously generated by another groundstation. In that case, the first ground station 100 a employs atransformation function 500 to derive from that aircraft position anumber of alternative fake positions 116.

For each actual aircraft position 400 received, the first ground station100 a generates and broadcasts an array of fake ADS-B messages 130, eachfake ADS-B message 130 incorporating a different fake aircraft position116. All ground stations receiving ADS-messages (120,130) process themto broadcast fake aircraft positions if the operating conditions 114 aremet. This way, when the aircraft 140 is close enough to a second groundstation 100 b, the latter receives the actual aircraft position 400 andbroadcasts fake aircraft positions 116. If the second ground station 100b receives fake ADS-B messages 130 broadcast by the first ground station100 a, the second ground station 100 b is aware that they contain fakeaircraft positions 116 and do nothing.

FIG. 7 also shows several trusted receivers 704 in the vicinity of therunway 404. Trusted receivers 704 receive both the actual aircraftposition 400 transmitted from the aircraft 140 and the aircraft fakepositions 116 broadcast by the first ground station 100 a. As shown inFIG. 8, the trusted receivers 704 use the same transformation function500 (i.e. the transformation function previously used to calculate thefake aircraft positions 116) to differentiate the actual aircraftposition 400 from the fake aircraft positions 116.

The key parameters to apply the transformation function 500 is sharedamong trusted receivers 704 and ground stations (100 a, 100 b), forinstance using a secure wired network 706. This way the trustedreceivers 704 can differentiate between fake ADS-B messages 130 andactual ADS-B messages 120. Similarly, the ground stations (100 a, 100 b)also use the transformation function 500.

On the contrary, untrusted receivers 708 receive both actual and fakeaircraft positions, but cannot differentiate them since they are notaware of the transformation function 500 to apply. The untrustedreceiver 708 receive ADS-B messages including the position of theaircraft 140, but they are not consistent since the aircraft 140 seemsto follow several different paths at the same time. Therefore, untrustedreceivers 708 cannot distinguish the actual position of the aircraft140.

FIG. 8 depicts the application of a transformation function 500 to anarray of aircraft positions 802 received during a short time interval bya trusted receiver 704 or a ground station (100 a, 100 b). Inparticular, the array of aircraft positions contains three differentpositions: position A, which corresponds to the actual aircraftposition, and positions B and C, which are fake aircraft positions. Todetermine which position is the actual aircraft position 400, thetransformation function 500 previously used to calculate the fakeaircraft positions 116 is now applied.

When applying the transformation function 500 to position A, the othertwo positions B and C are obtained, which determines that position A isan actual aircraft position 400. However, when applying thetransformation function 500 to position B, the position B itself isobtained along with another position (position X), which determines thatposition B is a fake aircraft position 116. Similarly, when applying thetransformation function 500 to position C, the position C itself isobtained along with another position (position Y), which determines thatposition C is also a fake aircraft position 116. Therefore, thetransformation function 500 applied to a fake aircraft position does notgenerate the other aircraft positions; however, the transformationfunction 500 applied to an actual aircraft position 400 generates allthe other fake aircraft positions 116. This way the receiver can decidewhich ADS-B message is real and which is fake. In other words:

When applying the transformation function 500 to an actual aircraftposition 400, the other fake aircraft positions 116 are obtained.

When a transformation function 500 is applied to a fake aircraftposition 116, at least the same fake aircraft position 116 is obtained.

The invention claimed is:
 1. A system for protecting the privacy ofautomatic dependent surveillance-broadcast (ADS-B) messages, the systemcomprising at least one ground station comprising: a ground ADS-Btransponder configured for receiving an ADS-B message; a ground stationcontrol unit comprising: an aircraft position determination module forretrieving an aircraft position included in the ADS-B message; anoperating conditions module for determining the fulfillment of one ormore operating conditions, said operating conditions at least includingdetermining if the aircraft position is an actual aircraft position; anda fake aircraft position generator for computing one or more fakeaircraft positions using a geometric projective transformation of theactual aircraft position over a surface; wherein the ground stationcontrol unit is configured for broadcasting one or more fake ADS-Bmessages including the fake aircraft positions if the operatingconditions are met.
 2. The system of claim 1, wherein the operatingconditions further includes determining if the aircraft position islocated inside a region of interest.
 3. The system of claim 1, whereinthe operating conditions module is configured for determining if theaircraft position is an actual aircraft position by using the geometricprojective transformation, the geometric projective transformation beingsuch that: when applied to an actual aircraft position the geometricprojective transformation generates the fake aircraft positions; andwhen applied to a fake aircraft position the geometric projectivetransformation generates at least the same fake aircraft position. 4.The system of claim 1, wherein the operating conditions further includesdetermining if the aircraft position is located inside a region ofinterest, and wherein the region of interest is defined by the surfaceused in the geometric projective transformation.
 5. The system of claim1, wherein the geometric projective transformation is a projection overa conical surface.
 6. The system of claim 1, wherein the geometricprojective transformation is a projection over a convex surface.
 7. Thesystem of claim 1, wherein the fake aircraft position generator isconfigured to retrieve data for the geometric projective transformationfrom a memory and to generate the geometric projective transformation.8. A method of protecting the privacy of ADS-B messages, comprising:receiving an ADS-B message; retrieving an aircraft position included inthe ADS-B message; determining the fulfillment of one or more operatingconditions, said operating conditions at least including determining ifthe aircraft position is an actual aircraft position; in response to theoperating conditions being met: generating one or more fake aircraftpositions using a geometric projective transformation of the actualaircraft position over a surface; and broadcasting one or more fakeADS-B messages including the fake aircraft positions.
 9. The method ofclaim 8, wherein the operating conditions further include determining ifthe aircraft position is located inside a region of interest.
 10. Themethod of claim 8, wherein the step of determining if the aircraftposition is an actual aircraft position comprises using the geometricprojective transformation such that: when applied to an actual aircraftposition the geometric projective transformation generates the fakeaircraft positions; and when applied to a fake aircraft position thegeometric projective transformation generates at least the same fakeaircraft position.
 11. The method of claim 8, wherein the geometricprojective transformation is a projection over a conical surface. 12.The method of claim 8, wherein the geometric projective transformationis a projection over a convex surface.
 13. The method of claim 8,further comprising: retrieving data for the geometric projectivetransformation from a memory; and generating the geometric projectivetransformation.
 14. A system for protecting the privacy of automaticdependent surveillance-broadcast (ADS-B) messages, the systemcomprising: an aircraft position determination module for retrieving anaircraft position included in an ADS-B message; an operating conditionsmodule for determining the fulfillment of one or more operatingconditions, said operating conditions at least including determining ifthe aircraft position is an actual aircraft position; a fake aircraftposition generator for computing one or more fake aircraft positionsusing a geometric projective transformation over a surface; and atransponder for broadcasting one or more fake ADS-B messages includingthe fake aircraft positions if the operating conditions are met.
 15. Thesystem of claim 14, wherein the operating conditions further includedetermining if the aircraft position is located inside a region ofinterest.
 16. The system of claim 14, wherein the surface is a conicalsurface.
 17. The system of claim 14, wherein the operating conditionsmodule is configured for determining if the aircraft position is anactual aircraft position by using the geometric projectivetransformation, the geometric projective transformation being such that:when applied to an actual aircraft position the geometric projectivetransformation generates the fake aircraft positions; and when appliedto a fake aircraft position the geometric projective transformationgenerates at least the same fake aircraft position.
 18. The system ofclaim 14, wherein the surface is a convex surface.
 19. The system ofclaim 14, wherein the fake aircraft position generator is configured toretrieve data for the geometric projective transformation from a memoryand to generate the geometric projective transformation.
 20. The systemof claim 19, wherein the data includes the region of interest, maps,charts, or a combination thereof.